Abstract — NASA’s future human space exploration strategy
includes single and multi-launch missions to various 
destinations including cis-lunar space, near Earth objects such 
as asteroids, and ultimately Mars. Each campaign is being 
defined by Design Reference Missions (DRMs). Many of these 
missions are complex, requiring multiple launches and 
assembly of vehicles in orbit. Certain missions also have 
constrained departure windows to the destination. These 
factors raise concerns regarding the reliability of launching 
and assembling all required elements in time to support 
planned departure. This paper describes an integrated 
methodology for analyzing launch and assembly reliability in 
any single DRM or set of DRMs starting with flight hardware 
manufacturing and ending with final departure to the 
destination. A discrete event simulation is built for each DRM 
that includes the pertinent risk factors including, but not 
limited to: manufacturing completion; ground transportation; 
ground processing; launch countdown; ascent; rendezvous and 
docking, assembly, and orbital operations leading up to
trans-destination-injection. Each reliability factor can be selectively
activated or deactivated so that the most critical risk factors 
can be identified. This enables NASA to prioritize mitigation 
actions so as to improve mission success. 

1. Introduction


Over the last several years, NASA has been analyzing 
strategies for future human exploration beyond Low Earth 
Orbit (LEO). Several of these strategies incorporate Design 
Reference Missions (DRMs) to various destinations 
including cis-lunar space, the Moon, Near Earth Asteroids 
(NEAs) and the Mars system. Because of the high energy 
requirements to reach the various destinations, some of
these DRMs require multiple launch vehicles to place crew 
and deep space vehicle elements in an assembly orbit prior 
to departure to the destination. The complex nature of these 
missions, coupled with specific destinations having 
constrained departure windows, calls into question the 
reliability of launching and assembling all the required 
elements in a timely manner to support the planned 
departure to the destination of interest. 

To assist in the reliability analysis, NASA has been 
developing an integrated methodology to analyze launch 
and assembly reliability. This work builds upon previous 
analyses performed for the Constellation program [1,2] and 
for the Review of Human Space Flight Plans Committee [3]. 

The integrated launch and assembly reliability methodology 
starts with flight hardware manufacturing and ends with 
final departure to a destination. Pertinent risk factors are 
accounted for within a stochastic discrete event simulation 
for each DRM. Reliability factors can be selectively 
activated or deactivated to understand the criticality of each 
factor and aid in the prioritization of mitigation strategies to 
improve overall mission success. 

This paper details the complexity and risks of launch and 
assembly in Section 2. Section 3 gives an overview of the 
human exploration missions that NASA is analyzing along 
with the concept of operation for a near Earth asteroid 
mission. The fourth section describes the simulation models. 
Section 5 lists the cases analyzed followed by the results in 
Section 6. Conclusions and forward work are addressed in 
Section 7. 

2. Complexity and Risks of Launch and Assembly

Exploration beyond LEO introduces complexities and risks 
to missions that have the potential to reduce overall 
reliability. It is anticipated that most deep space missions 
will require multiple launches from Earth with some degree 
of spacecraft assembly in Earth vicinity. The process of 
completing all of the required launches and assembly 
activities could be complex and will certainly require 
significant time. Because most deep space mission 
destinations have limited windows for departure from the
assembly point, due to orbital mechanics, missions will have 
to be carefully staged so that launch and assembly activities 
can be reliably completed prior to the desired departure 
window. 

Key Constraints 

Deep space missions have several constraints that will 
directly impact the launch and assembly reliability. The 
primary constraint relates to the available departure window 
from the deep space vehicle assembly point to the 
destination. 

The duration, timing, and repeatability of departure 
windows for deep space missions are highly variable and 
depend heavily on the selected target. Lunar missions 
typically have departure windows that repeat in perpetuity 
on an average of every 9-10 days. Minimum energy 
departure opportunities to Mars occur on average only once 
every 26 months. For NEAs the timing and duration of the 
departure windows are dependent on the orbit of the 
particular object. Certain NEAs have long departure 
windows that repeat over a period of years. Others may have 
a number of short opportunities, separated by several 
months. Still others may have a single departure opportunity 
with a total duration of only a few days. 

For most destinations other than the Moon, it will be very 
difficult to develop a mission plan that will allow for the 
targeting of more than a single departure opportunity from 
the assembly point. It is theoretically possible that a NEA 
mission could be designed with a backup destination that 
could be targeted if the departure window for the primary 
destination was missed. In this case the crew launch could 
be delayed or a second crew launch attempted to support the 
backup destination. However, the targeting of a backup 
destination is problematic. First, having to identify a NEA 
with a backup destination that meets the assembled 
transportation system capabilities and has a departure 
window that is close to the one for the primary destination 
could severely limit the number of possible destinations. 
Second, it is anticipated that a large amount of preparatory
work, including the conduct of robotic precursor missions
and the design of exploration activities, will be completed to
support the primary destination mission. It would be
challenging to complete these activities for multiple possible 
targets. 

In addition to the departure window to the destination, there 
are other orbital constraints that could add complexity to the 
launch and assembly process. If the deep space vehicle is 
assembled at a location other than LEO, there will only be 
periodic opportunities to transfer elements and crew to the 
assembly location. In addition, if Moon and/or Earth fly-by 
events are used to aid in the departure to the destination, the 
positioning of those bodies will add further constraints on 
the departure window. 


Launch and assembly reliability could be improved by 
adding time margin to the launch and assembly schedule. If 
launches for all elements and the crew were planned to 
occur earlier, relative to the destination departure window, 
the probability of completing all of the required activities in 
time to meet the departure opportunity increases 
significantly. However, there are additional constraints that 
limit the ability to add time margin to the launch and 
assembly schedule. 

Increasing the amount of time that elements of the deep
space vehicle loiter at the assembly point adds risk to
the assembly process. The probability of system failures
within the elements or of micrometeorite and orbital debris
(MMOD) strikes increases as loiter time is extended.

Crew time in space is also a major issue with adding margin 
to the launch and assembly process. Because the crew 
launch is typically the last launch in the sequence, adding 
margin between that event and the departure window will 
have the greatest impact on reliability. However, there are 
significant issues to adding to the amount of time that crew 
must spend in space. For many of these anticipated deep 
space missions the expected mission time may already be 
greater than one year. These long durations will already 
present challenges to the crew. Requiring the crew to loiter 
at the assembly point prior to departure will only increase 
those risks. Additional time loitering at the assembly 
location also increases the risk that a crew health event will 
occur that requires an abort back to Earth, ending the 
mission. 

The constraints on departure to the destination and on 
loitering at the assembly point will require that a high level 
of reliability be achieved in the launching and assembly of 
spacecraft prior to the departure window. Failure to 
complete launch and assembly prior to the departure 
window would result in mission failure, as the deep space 
vehicle would no longer be able to reach the intended 
destination. 

Types of Risks 

The types of risks involved in the launch and assembly of 
the deep space vehicle can be divided into two major 
categories: Pre-Launch Risks and Post-Launch Risks. 

Pre-Launch Risks are those that occur prior to ignition of 
the main engines of the launch vehicle for any launch that 
supports the mission. These risks involve all of the activities 
required to manufacture, deliver, assemble, and prepare 
each vehicle for launch. 

Manufacturing Reliability — All elements for the deep space 
mission, including deep space vehicle elements, launch 
vehicles, and propulsive elements must be manufactured, 
tested, and delivered to the space center. Delays in these 
activities would delay the launch and assembly schedule. 

Processing Reliability — Processing capabilities at the space
center are limited by facilities and personnel constraints. 
These constraints dictate the planned launch schedule for 
elements. Delays in completing element processing and 
launch vehicle assembly could significantly impact the 
launch and assembly schedule. 

Launch Reliability — The launch of spacecraft in Earth orbit 
is notoriously unreliable. Historically, the success rate for 
launching a spacecraft on any specific attempt has been a 
little above 50%. The Space Shuttle launch probability 
throughout its history was 0.53. Even the relatively simple 
Delta II only had a 0.56 launch probability for launches 
between 1989 and 2001 [4]. While many delays are weather 
related or involve minor problems that can be quickly 
corrected, either of which allow the next attempt to occur 
quickly, there are often failures on the launch pad that 
require long periods of time to correct. Conducting multiple 
launches to support a deep space mission increases the 
exposure to launch delays, potentially reducing the overall 
probability of meeting the departure window. 

Post-Launch Risks are those that occur after the ignition of 
the main engines of the launch vehicle and involve all of the 
activities required to position and assemble elements, 
deliver the crew to the deep space vehicle, and prepare for 
departure. 

Launch Failure — The launch and ascent of a vehicle into 
LEO is typically one of the most risky phases in any space 
mission. Conducting multiple launches into LEO to support 
the mission will increase the overall probability of launch 
failure in at least one of the launches. 

Element Failure on Orbit — As elements loiter in LEO or at 
some other potential spacecraft assembly point, there are 
multiple types of failure that can occur that could endanger 
the mission. Potential failures include unrepairable system 
failures within the spacecraft elements, MMOD strikes on 
spacecraft elements, and damage due to radiation exposure. 
These risks increase as loiter period increases. 

Propulsive Failure — Subsequent to launch into LEO, many 
missions will require elements to be relocated to the 
spacecraft assembly location. This will require some form of 
in-space propulsion. Failure or delays with these events 
could result in failure of the overall mission. 

Assembly/Docking Failure — Assembly of the deep space 
vehicle will require that multiple independently launched 
elements be aggregated in space. That will require some 
form of rendezvous and docking of those elements. Because 
the crew will likely not be present when most of the 
assembly events occur, the assembly will involve automated 
rendezvous and docking (ARD) events. Historically, ARD 
has proved troublesome for in-space vehicles and a number 
of failures have occurred. Failure in the assembly of the 
deep space vehicle could result in failure of the overall 
mission. 


Crew Issues — Problems with the crew, including health 
issues and injury, can occur as the crew travels to the 
assembly location, and/or loiters in the deep space vehicle 
prior to departure. Serious crew issues could require abort 
back to Earth and abandonment of the mission. 

The constraints and risks described herein require that 
missions be designed in a way that the total achieved launch 
and assembly reliability will result in an acceptable 
probability of mission success. The reliability and the 
timing of launch and assembly events must be carefully 
evaluated in order to identify and mitigate those risks. 

There is a fundamental tension between adding margin to 
the launch schedule and the amount of in-space risk 
exposure. A balance must be achieved between these factors 
in order to develop an acceptable level of overall reliability. 

This evaluation should occur in conjunction with the 
analysis and design of the launch systems and deep space 
vehicle elements. Because these systems, and many of the
technologies incorporated into them, do not yet exist, it is
necessary to estimate capabilities and system
reliabilities.

3. Concept of Operations for Human Space Exploration Missions

Currently, NASA is analyzing the requirements for beyond 
low Earth orbit missions, including missions to cis-lunar 
space, the Moon, NEAs, and the Mars system. Each of the 
missions, designated a DRM, helps to define the 
transportation and in-space systems required to complete the 
goals of the mission. For many of these DRMs, multiple 
launch vehicles are required to deliver the crew, in-space 
elements and logistics required to support the crew for long 
durations in transit to and at the destinations. In addition, 
these DRMs may include on orbit assembly of vehicles and 
constrained destination departure windows. 

As NEA missions typically include both multiple launch 
vehicles and constrained departure windows, a NEA DRM 
to 99942 Apophis (2004 MN4), Apophis for short, was 
chosen as a test case. Figure 1 shows this example with an 
all-chemical propulsion transportation architecture to a 
NEA. This particular DRM requires three launch vehicles of 
the Space Launch System (SLS) to deliver the crew, in-space
elements and in-space propulsion stages to an
assembly orbit. The first launch places the Deep Space 
Habitat (DSH) and Robotics & Exploration Module (REM) 
into the 5-day period High Earth orbit (HEO) through the 
combined propulsion of the launch vehicle and the 
Cryogenic Propulsion Stage (CPS). After arrival of these 
elements, the CPS is undocked and moved into a proper 
disposal orbit. The DSH and REM remain in the assembly 
orbit until the second launch arrives. The second launch 
consists solely of a second CPS. This CPS places itself in 
the assembly orbit and is used for part of the HEO departure 
burn and the NEA arrival burn. The CPS docks to the
elements in the assembly orbit and waits for the crew 
arrival. The third launch consists of the Multi-Purpose Crew
Vehicle (MPCV), crew and a third CPS. This CPS places 
the crew in the assembly orbit and performs a portion of the 
HEO departure burn. After the elements are assembled, 
there is a minimum 9 day checkout period of the DSH & 
REM prior to departing for the NEA. From this HEO, there 
are two departure opportunities, spaced 30 days apart. The 
transit time from leaving the HEO to arriving at the NEA is 
approximately 302 days for this particular NEA. The crew
then stays at the NEA for 14 days, performing science,
exploration and EVA activities. Prior to departure from the 
NEA, the REM is undocked and left at the destination to 
perform further science and exploration activities 
robotically. The Crew departs the NEA and transits back to 
Earth in the DSH and MPCV. Prior to Earth entry, the DSH 
and MPCV SM (Service Module) are undocked and 
disposed of at appropriate locations. 

Figure 1 - Example Design Reference Mission to a Near-Earth Asteroid


4. Description of Simulation Model 

A stochastic discrete event simulation model was created
using Rockwell Automation’s Arena simulation software [5].

Figure 2 provides a high level overview of the model, which 
includes linkages to Excel files for inputs and results. The 
model logic includes entity routing to reflect all of the major 
processes and operations in the launch and assembly 
sequence from manufacturing completion through readiness
for the destination departure burn from the assembly
location.

The simulation is run for 1,000 replications, with each
replication representing one possible manifestation of the
launch and assembly sequence. The only difference between
the replications is the random numbers used to drive the
various risk models.

Different components of the mission such as in-space 
elements, launch vehicles and crew are represented as 
entities within the simulation. Each replication starts with an 
entity representing the mission reading in all of the manifest 
information regarding planned flight hardware delivery 
dates, planned launch dates, and departure window 
information. The entity then splits into multiple entities 
representing each flight hardware element along with a 
remaining entity that represents the mobile launcher. The 
entities representing flight hardware elements follow the 
routing path shown in Figure 3. 

Figure 2: Model Overview



Figure 3: Flight Hardware Elements Entity Routing Within Model 


Each flight hardware entity holds until its planned 
manufacturing completion date, whereupon it is routed to a 
delay risk model where the chance of the manufacturing 
being delayed is analyzed. If a delay occurs the duration of 
the delay is determined using a probability distribution. 

Individual delay risk models were developed for each flight 
hardware element type. For example, historical data for 
Solid Rocket Booster (SRB) elements including Aft Skirts 
and Reusable Solid Rocket Motor (RSRM) segments were 
documented by the Space Shuttle Program on Kennedy 
Space Center (KSC) Milestone Interface charts for each
Space Shuttle mission. 99 total Milestone Interface charts
were reviewed. The probability that the Aft Skirts 
experience a manufacturing delay was found to be 
approximately 0.34. The magnitude of the delay ranged 
from 1 to 64 days. The probability of the RSRM segments 
being delayed in manufacturing was found to be 0.454. The 
magnitude of the delays ranged from 1 to 49 days. The 
delay data points for Aft Skirts and RSRM segments were 
analyzed using statistical fitting software (ExpertFit by 
Averill M. Law [6]), which is specifically designed to assist 
discrete event simulation. A Geometric distribution was 
found to be a reasonable model for the Aft Skirt
manufacturing delays. A logarithmic distribution was 
determined to be a reasonable model for the RSRM segment 
delays. Alternatively one could use empirical distributions 
built from the historical data sets. 

Historical data for the probability of the Forward 
Assemblies being delayed coming out of manufacturing and 
the magnitude of the delay were not available. During the 
Space Shuttle program, Forward Assemblies completed 
manufacturing well in advance of actual need date and thus, 
were stored in the VAB. This technique was apparently 
successful as no Space Shuttle mission processing 
milestones showed a delay due to Forward Assembly 
availability. Consequently, it is difficult to determine the 
delay model (probability of a delay and duration of the 
delay) for manufacturing completion of the Forward 
Assemblies. The simulation uses a uniform distribution of 0 
to 7 days for the Forward Assembly delay risk model to 
acknowledge that there is risk. Further work, such as
performing sensitivity analysis using alternative risk models
based upon subject matter expert input, will be required.

In the case of the Core Stage and Upper Stage elements of 
the SLS, which have yet to be developed, analog 
information from the Space Shuttle External Tank 
manufacturing history was used. Similarly, the DSH, REM, 
CPS, and MPCV have no manufacturing completion 
history. Since they are in some respects spacecraft sharing 
similar functions with the Space Shuttle orbiter, historical 
data from the history of orbiter delays in coming out of the 
Orbiter Processing Facility was used as their analog for 
manufacturing completion. 

The probability of an External Tank (ET) being delayed 
coming out of manufacturing was found to be 
approximately 0.29. The magnitude of the delay ranged 
from 1 to 56 days and follows a logarithmic distribution. 

Following manufacturing, each flight hardware entity is 
routed from its respective manufacturing site to the launch 
site for offline processing or integration in the Vehicle 
Assembly Building (VAB). Risk models for transportation
delays are associated with the mode of transportation, i.e.,
rail, barge, and tractor-trailer.

Historical data for RSRM segment shipments between Utah 
and KSC was used for the rail mode delay risk model. 
Assuming an 8-day planned transit, delays occur 
approximately 50% of the time and range from 1 to 4 
additional days. There is also a small probability 
(approximately 8.3E-3) of a train derailment and when this 
occurs the model injects a delay of between 30 and 90 days 
to account for additional time for derailment recovery which 
may include segment inspections, repairs, or replacement. 

The model assumes that both the SLS Core Stage and Upper 
Stage are manufactured at the Michoud Assembly Facility 
(MAF) near New Orleans and require separate shipment by 
barge. Historical data for ET shipments via ocean-going
barges from MAF to KSC were used for the barge mode
delay risk model. Assuming a 5-day planned transit, delays 
occur approximately 23% of the time and range from 1 to 6 
additional days. There is also a small probability 
(approximately 1.5E-3) of the barge sinking and when this 
occurs the model injects a delay of 180 days to account for 
additional time to replace the lost flight hardware element 
and the barge. 

The SRB Aft Skirts and Forward Assemblies are towed on 
dollies from their manufacturing completion location on 
KSC to either the Rotation, Processing and Surge Facility 
(RPSF) or VAB. Historical delay data was not readily 
available. The model assumes a Uniform distribution 
between 0 and 2 additional days to account for potential 
delay risk stemming from adverse weather or transporter 
malfunctions. These types of transportation delays tend to 
be 1 or 2 days at most. 
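
The manufacturing and transportation delay risk models above can be exercised with a short Monte Carlo sketch. This is an added example, not code from the paper or from the Arena model it describes: probabilities and delay ranges are taken from the text, while the uniform delay magnitudes (the paper fits Geometric and logarithmic distributions whose parameters are not given), the independent summing of factors, and all function names are assumptions.

```python
"""Monte Carlo sketch of the manufacturing and transportation delay risk models."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DelayRisk:
    name: str    # label used to activate or deactivate the factor
    prob: float  # probability that the delay occurs (value from the text)
    lo: int      # shortest delay in days (value from the text)
    hi: int      # longest delay in days (value from the text)

    def sample(self, rng):
        # Always consume two draws so that switching any factor on or off
        # leaves the random stream unchanged (common random numbers).
        u = rng.random()
        days = rng.randint(self.lo, self.hi)  # assumption: uniform over the range
        return days if u < self.prob else 0


# Risk factors per flight hardware element, as stated in the text.
ELEMENTS = {
    "SRB Aft Skirt": (
        DelayRisk("manufacturing", 0.34, 1, 64),
        DelayRisk("tow delay", 1.0, 0, 2),          # Uniform 0 to 2 days
    ),
    "RSRM segment": (
        DelayRisk("manufacturing", 0.454, 1, 49),
        DelayRisk("rail delay", 0.50, 1, 4),
        DelayRisk("derailment", 8.3e-3, 30, 90),
    ),
    "Core Stage": (
        DelayRisk("manufacturing", 0.29, 1, 56),    # External Tank analog
        DelayRisk("barge delay", 0.23, 1, 6),
        DelayRisk("barge sinking", 1.5e-3, 180, 180),
    ),
}


def simulate_delays(element, active=None, replications=1000, seed=1):
    """Return the total delay in days for each replication.

    `active` is the set of factor names that are switched on; None means all.
    """
    risks = ELEMENTS[element]
    if active is None:
        active = {r.name for r in risks}
    rng = random.Random(seed)
    totals = []
    for _ in range(replications):
        total = 0
        for risk in risks:
            days = risk.sample(rng)      # drawn even when the factor is off
            if risk.name in active:
                total += days
        totals.append(total)
    return totals


def on_time_probability(element, margin_days, active=None,
                        replications=1000, seed=1):
    """Fraction of replications whose total delay fits inside the margin."""
    totals = simulate_delays(element, active, replications, seed)
    return sum(t <= margin_days for t in totals) / len(totals)


def rank_factors(element, margin_days, replications=1000, seed=1):
    """Gain in on-time probability from deactivating each factor alone."""
    names = {r.name for r in ELEMENTS[element]}
    base = on_time_probability(element, margin_days, names, replications, seed)
    gains = {
        name: on_time_probability(element, margin_days, names - {name},
                                  replications, seed) - base
        for name in names
    }
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for element in ELEMENTS:
        p = on_time_probability(element, margin_days=7)
        print(f"{element}: P(arrive within 7 days of plan) = {p:.3f}")
        for name, gain in rank_factors(element, margin_days=7):
            print(f"  deactivate {name:<14} gain {gain:+.3f}")
```

Because every factor is sampled in every replication, deactivating a factor can only shorten a replication's total delay, so the ranking reflects the factor itself rather than noise from a shifted random stream.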

Flight hardware elements requiring offline operations 
include the SRB and RSRM elements, the Upper Stage, and 
all the mission elements — DSH, REM, Block 2 CPS, and 
MPCV. The offline processing occurs for a planned amount 
of time followed by a risk model in which there is a chance 
that the offline processing may take longer than planned. 
The SRB and RSRM offline processing delay risk model is 
based upon directly applicable historical data. Space Shuttle 
orbiter processing data were used as an analog for the other 
elements requiring offline processing. 

Table 1 shows the various probabilities of delays that may 
occur during offline processing, vehicle integration in the 
VAB and operations leading up to the start of launch 
countdown. There is a corresponding empirical delay 
duration distribution for each delay probability. The 
probabilities and duration distributions were derived from 
Space Shuttle historical data after factoring for differences 
between the Space Shuttle and the SLS - MPCV. 

Following completion of its offline activities, the flight 
hardware element entity is routed to the VAB for 
integration. 

Integration in the VAB begins with arrival of the entity 
representing the mobile launcher on its planned arrival date 
and proceeds through preparations for the start of SRB 
stacking. A risk model accounts for the chance that mobile 
launcher arrival and preparations for stacking may be 
delayed. The mobile launcher stacking preparations delay 
risk model is based upon the “Delays to Start of SRB 
Stacking” shown in Table 1. 

After the mobile launcher is verified to be ready, the SRB 
elements begin routing to the VAB for stacking. A delay 
risk model derived from Space Shuttle historical data 
accounts for potential SRB stacking delays that impact the 
subsequent mate of the Core Stage between the twin SRBs. 
See “Delays to Core Stage Mate / Upper Stage Mate” in 
Table 1. 

The Core Stage does not require offline processing since it
is assumed to be ready for integration upon arrival from the 
manufacturing site. The model allows it to be stored 
temporarily in the VAB if the SRB stacking has not been 
completed when it arrives. There is a risk model to account 
for potential delays during Core Stage integration. 
Analogous historical data from the ET integration with the 
Space Shuttle was used to develop the risk model. 

Integration of the Upper Stage occurs after Core Stage 
integration completion. There is a risk model to account for
potential delays during Upper Stage integration. This risk
model is identical to the Core Stage integration delay risk 
model. 

After Upper Stage integration, the SLS is ready for payload 
integration. This will be an encapsulated payload in the case 
of the DSH-REM on the first launch and the Block 2 CPS 
on the second launch. The MPCV on the third launch is not 
encapsulated but the model assumes that the payload 
integration times are the same for each of the three launches. 


Table 1. Space Shuttle History Derived Processing Delay Probabilities

Delays to Start of SRB Stacking
  Subcategory                                          Delay Prob
  MLP Post Launch Problems                             0.1682
  VAB Problems (Crane, etc.)                           0.1405
  VAB Major Mods / Major Maintenance                   0.0190
  MLP Stack Prep Delays                                0.0667
  Crawler Transporter                                  0.0095
  Aft Booster Delivery Delays                          0.0190
  Miscellaneous                                        0.0286

Delays to Core Stage Mate / Upper Stage Mate
  Subcategory                                          Delay Prob
  VAB (Crane Problems, MLP etc.)                       0.1193
  RSRM Segment Delivery Delays                         0.0158
  SRB-RSRM Stacking Problems                           0.3274
  Cold Weather                                         0.0381
  Miscellaneous                                        0.0286

Delays to Payload to SLS Mate
  Subcategory                                          Delay Prob
  VAB Crane Problems                                   0.0190
  Orbiter Availability                                 0.6076
  Miscellaneous                                        0.0286

Delays to SLS Readiness for Rollout
  Subcategory                                          Delay Prob
  Range Availability                                   0.0476
  SRB/RSRM induced delays                              0.0667
  SSME induced delays                                  0.0381
  Monoball induced delays                              0.1000
  Flight Crew                                          0.0000
  Miscellaneous Flight Hardware                        0.0467

Delays to Countdown Readiness
  Subcategory                                          Delay Prob
  SRB Induced Delays to Launch Countdown Start         0.0571
  SSME-MPS induced Delays to Launch Countdown Start    0.1274
  Environment Induced delays to Launch Countdown Start 0.0416
  Ground Systems                                       0.0429
  Flight Crew                                          0.0000
  Miscellaneous Flight Hardware                        0.0262

File: GOMES STS Based Risk Factors 2009_10_02 Rl.xlsx
Sheet: SLS Risk Factor Table

Risk models account for potential delays during payload 
integration, integrated vehicle testing, and preparations for 
rollout to the launch pad. These models were developed 
using historical data from the analogous Space Shuttle 
operations including orbiter mate to the ET, integrated 
testing and preparations for Space Shuttle rollout to the 
launch pad. See “Delays to SLS Readiness for Rollout” in 
Table 1. 

Depending upon the scenario, there may be a buffer prior to 
rollout to the pad that protects for delays that occur prior to 
VAB rollout. This buffer can be sized to help increase the 
likelihood of being able to start the VAB to launch pad 
transfer on the desired date. 

Rollout to the launch pad occurs no earlier than its planned 
date. If delays from manufacturing, transportation, offline 
processing, and integration exceed the available buffer 
amount, if any, then start of rollout to the pad will be 
delayed. 


There is an additional risk model to account for delays for 
the VAB to pad transfer operation stemming from adverse 
weather delays, ground equipment failures, and flight 
hardware problems, known as 11th hour delays. This risk
model is based upon the Space Shuttle history of vehicle 
transfers between the VAB and the launch pads as shown in 
Figure 4. 

After the integrated vehicle arrives at the launch pad, pre- 
launch countdown pad operations are conducted. There is a 
risk model to account for delays that can occur at the launch 
pad prior to the commencement of the launch countdown. 
See “Delays to Countdown Readiness” in Table 1. This risk 
model is based upon the Space Shuttle historical data, but 
takes into consideration the reduced amount of time and 
operation planned for the SLS at the launch pad prior to 
launch. 

The model allows for there to be a buffer between the end of 
pre-launch countdown operations and the start of launch 
countdown. This buffer can be sized to help increase the
likelihood of being able to start the launch countdown on 
the desired date. 

The launch countdown will start no earlier than its planned 
date. A delay risk model accounts for delays that occur 
during launch countdown. The simulation allows the analyst 
to choose between alternative launch countdown delay risk 
models. The countdown delay risk models are displayed 
with their representative cumulative distribution functions in 
Figure 5. 


One launch risk model is based purely upon Space Shuttle 
a.k.a. Space Transportation System (STS) historical data. 
An alternative model is also based upon the Space Shuttle 
historical data but takes into consideration differences 
between the Space Shuttle and the SLS vehicle 
configuration and concept of operations. The results 
presented in this paper are based upon the STS launch delay 
risk model. 

If a mission’s no-later-than launch date is going to be
exceeded, the mission is not actually launched but instead 
the replication is ended and a message is sent to the 
output Excel file stating which mission was too late. 

Once a launch occurs in the simulation, two entities 
proceed down separate paths. The first entity, 
representing the mobile launcher, is routed to logic for 
post-launch refurbishment and transportation back to the 
VAB to begin the integration flow for the next launch. 
There is a risk model to account for potential delays to 
post launch refurbishment. This risk model is based upon 
Space Shuttle historical data. 

The second entity, representing the launch vehicle and 
spacecraft, is routed to a risk model where there is the 
chance that an ascent loss of vehicle event can occur. 

Due to the uncertainty in the ascent reliability that may 
ultimately be achieved by the SLS, three different 
values — optimistic, neutral, and conservative — are used 
for the probability of an ascent failure. The optimistic 
ascent failure rate is based upon the SLS goal to achieve a 
failure rate of 1 in 250, which equates to a 0.4% chance of 
an ascent failure. The neutral estimate is set at 1.5%, 
which is consistent with the Delta II launch vehicle’s 
demonstrated reliability through 149 launches and the 
Space Shuttle’s demonstrated reliability over 135 
missions. The conservative value of 3% is consistent with 
the Soyuz launch vehicle, which is the most flown 
launcher (over 700 launches). Alternatively, the 
conservative setting could be set at 7% based upon the 
current average launch reliability of launchers worldwide 
[7]. 

For a cargo mission, the spacecraft is assumed to be 
destroyed in a loss of vehicle (LOV) event. For a crewed 
mission, the event is categorized as an ascent abort. The 
efficacy of the abort system and resulting crew 
survivability are not modeled. 

Once the spacecraft successfully gets into orbit it takes up 
to 2 days to enter the HEO assembly orbit. The Block 2 
CPS and MPCV entities are routed upon insertion into 
HEO to a risk model where there is a chance that their 
respective rendezvous or dock events fail resulting in a 
loss of mission. 

The Block 2 CPS is planned to make an automated 
rendezvous and dock (ARD) with the DSH in HEO. No 
crew is on-board the DSH to take corrective action in the 
event of an anomaly. Probability of failure for a single 
ARD is estimated to be between 0.015 (optimistic) and 
0.1 (conservative). The Progress automated docking 
system has the most experience and is considered 
sufficiently reliable to be used on the ISS. However, a 
review of 45 automated Progress ISS docking missions 
found that in 7 missions the automated docking system 
failed to such an extent that the crew on board the ISS had 
to take over and conduct a manual rendezvous and 
docking [7]. This indicates a failure rate of approximately 
16%. There was also an instance where a resupply ship 
unintentionally impacted the Mir space station during a 
re-docking maneuver. 

The probability of a rendezvous and dock failure for the 
crew-assisted MPCV docking with the DSH is much 
lower than that for the fully automated procedure for the 
CPS. The presence of the crew to take over in real time 
mitigates much of the risk. Additionally, the historical 
data for Space Shuttle and Soyuz crew docking with the 
Mir and ISS indicate a high level of reliability. When 
failures do occur they typically get resolved through 
subsequent docking attempts. The risk model uses 
reliabilities ranging from 99.5% (optimistic) to 95% 
(conservative) that the rendezvous and dock will be 
achieved without a failure. If there is a failure, 90% of the 
time the failure is resolved but the model incurs up to a 
2-day delay in the completion of docking. The other 10% of 
failures result in a loss of mission. 

Once established in HEO, an entity representing each 
spacecraft is sent to a system reliability model where 
there is a daily chance of a system failure resulting in a 
spacecraft loss of mission. This daily risk of system 
failure for each spacecraft in HEO continues until trans- 
NEA-departure. 

Potential failures include MMOD impacts and failures of 
spacecraft systems. Since these spacecraft have not been 
built and operated yet, it is difficult to develop an accurate 
reliability estimate. A range of estimates was used to test 
the sensitivity of the model to various values. The 
optimistic estimate assumes a 2-year in-space design life 
with achieved design reliability of 99%. This equates to 
an approximate 1.0E-5 daily probability of a loss of 
mission failure. The neutral and conservative settings 
assume 93% and 70% design reliability over two years, 
respectively. These settings result in daily loss 
probabilities of 1.0E-4 and 5.0E-4, respectively. 

The model does not, at this time, account for the potential 
that the crew arriving with the MPCV could repair a 
failed DSH, REM, or Block 2 CPS. Instead, if a failure 
occurs the launch of any remaining subsequent elements 
is halted and the replication is ended. 

After the MPCV has rendezvoused with the DSH, the 
crew transfers to the DSH. An entity representing each 
crew member is then routed to a crew health risk model 
where there is a daily probability that a significant 
medical event will develop, prompting the need to abort the 
mission and return the crew to Earth. Inputs for the crew 
health risk model are based upon work performed by 
NASA’s Integrated Medical Model (IMM) project team 
[8]. The IMM is being developed to respond to a 
significant need identified in NASA’s Human Research 
Roadmap [9] to quantify likelihood and consequence of 
medical conditions that could occur in spaceflight [10]. 

The IMM is responsible for estimating crew health risks 
on the International Space Station (ISS). These include 
risk of crew evacuation (EVAC) as well as the sudden 
mortality risk of loss of crew (LOCL). The ISS is a 
reasonable analog for the DSH, with one notable caveat 
being the medical capabilities on the ISS today versus 
what those capabilities may ultimately be on the DSH. 
This will depend upon DSH mass and volume constraints, 
which may limit what kind of medical kit can be 
supported. 

The IMM derived ISS EVAC rates range from 0.021 to 
0.030 events per person-year. These values coupled with 
the LOCL risk of approximately 0.005 events per person- 
year are used as inputs to the optimistic and neutral 
settings. Their values are 0.0259 and 0.0349 events per 
person-year respectively. For the conservative setting a 
value of 0.072 events per person-year is used, which is the 
high end of the Russian Historical Space Flight Data as 
analyzed by the IMM team [8]. 

The corresponding daily rates are 7.19E-5, 9.72E-5 and 
2.05E-4 LOM health events per astronaut-day 
respectively for the optimistic, neutral, and conservative 
risk settings. The daily risk of a LOM health event 
continues until trans-NEA-departure. 

The replication ends when either there has been a loss of 
mission event or the trans-NEA-departure has occurred. 
At the end of each replication, the model writes results in 
an Excel output file. 

Figure 6 shows an example of the output dashboard in the 
Excel output file. The SLS launch vehicle’s booster type 
is identified in the upper left corner. The shifting 
assumption is also identified in the upper left corner along 
with the planned spacing between launch 1 and 2 as well 
as the planned spacing between launch 2 and 3. The Gantt 
chart on the top of the dashboard presents the launch and 
assembly sequence that the simulation attempted to 
execute in each of the 1,000 replications. Yellow bars 
indicate offline processing activities beginning with the 
first flight hardware element’s scheduled manufacturing 
completion date through the final delivery of the payload 
element to the VAB for integration with the launch 
vehicle. 

Figure 6 - Model Output Dash Board Example 


The three launch flows are displayed with a tri-color bar 
indicating: (1) in purple the Mobile Launcher stacking 
preparations (including post launch refurbishment for the 
second and third launches); (2) in white the activities in 
the VAB beginning with SRB stacking and ending at 
VAB rollout; and (3) in blue the launch pad flow through 
liftoff. 

Green bars and embedded numbers indicate available 
schedule margin (buffers) as well as the HEO to NEA 
destination window. In this example, there is a 30-day 
departure window, protected by a 5-day crew launch 
buffer. There are 20-day buffers between each of the three 
launches. Each of the launch flows has a 21-day buffer 
embedded at the end of the VAB flow prior to the vehicle 
being transported to the launch pad and a 7-day buffer just 
prior to the start of launch countdown. 


The column graphic below the Gantt chart shows shelf-life 
durations for each of the major flight hardware elements. 
The lower values represent the planned duration from 
manufacturing completion through the planned launch. The 
upper values represent the maximum durations, 
manufacturing completion to actual launch, experienced 
during the 1,000 replications. 

The pie chart provides the proportion of failures for each 
of the major LOM categories: launch campaign failing to 
launch all three missions in time; on-orbit system 
reliability failures; crew health events; ascent reliability 
failures; and rendezvous & dock failures. Below the pie 
chart is the corresponding table showing the count of each 
failure type as well as the total number of failures out of 
1,000. 

The blue column graphic shows the fraction of the 1,000 
replications that successfully achieved readiness for the 
trans-destination departure burn within the departure 
window. This is the metric that should be maximized. 


The stock chart above the success metric indicates the in- 
space time for each of the mission elements in HEO prior 
to the departure burn. The chart provides maximum, 
average, and minimum durations experienced. 

The bottom portion of the dashboard shows the various 
experiment settings that were set for the analysis case 
along with the model file name, the Excel file name and 
worksheet, and the date and time the case was executed. 

NASA is currently planning on implementing a minimal 
cost ground architecture called “single-string,” which 
means that there will only be one mobile launcher, one 
VAB highbay to perform SLS integration, and one launch 
pad. Consequently, it will not be possible to process 
launch missions in parallel. In addition to having a single- 
string architecture, NASA is also planning on reducing 
the size of the workforce relative to what it was for Space 
Shuttle operations. This will mean that processing 
operations will not be worked round the clock but will 
instead be limited to 5 days per week at either one or two 
shifts per day. 

The workforce processing assumption can have a 
significant influence on the launch and assembly sequence 
duration. Within the input Excel file, the analyst can 
specify the workforce processing assumption, i.e., 5 day - 
1 shift processing (5x1) or 5 day - 2 shift processing 
(5x2). A 5x1 workforce would be the lowest cost but the 
processing duration would be essentially twice that of a 
5x2 workforce. Figure 7 shows a high level Gantt chart of 
the launch sequence and HEO assembly operations 
assuming 5x1 processing. Figure 8 shows the same 
sequence but with 5x2 processing. 

An effective number of hours per day, normalized to 
round-the-clock processing over a 365-day year, was 
determined to take into account weekends, holidays, and 
other off days that are not available to be worked without 
overtime funding. A 5x1 workforce provides approximately 
5.5 hours per day while a 5x2 workforce provides 
approximately 11 hours per day. 

The processing times automatically adjust in the Excel 
file based upon the selected processing assumption. For 
example, a task that requires 16.5 serial hours would take 
3 days given a 5x1 workforce versus 1.5 days given a 5x2 
workforce. 

Figure 7 - Launch and Assembly Sequence with 1-Shift (5x1) Processing 

Figure 8 - Launch and Assembly Sequence with 2-Shift (5x2) Processing 

5. Description of Cases Analyzed 

A total of 6 cases were explored to represent two alternative 
workforce processing capabilities under varying risk 
settings. The workforce processing cases were 5 day 1 shift 
per day processing (5x1) and 5 day 2 shifts per day 
processing (5x2). Each of these two cases was analyzed 
with the in-space risk factors set at the Optimistic, Neutral, 
and Conservative settings discussed in Section 4 and 
summarized here in Table 2. Because of the uncertainty in 
many of these risk factor settings, cases were analyzed with 
all three settings. 

The first scenario analyzed was the launch sequence as 
initially proposed and using the Optimistic set of risk factor 
settings. This sequence assumed 120-day launch-to-launch 
spacing provided by a 5x2 processing capacity. The 
sequence provided no buffer between the last scheduled 
launch and the opening of the 30-day departure window. 

The model was then used iteratively to search for the 
optimal launch sequence, as defined by planned launch 
dates and buffer sizes, that provides the maximum 
probability of success. The crew launch buffer was limited 
to no more than 40 days due to concerns expressed about 
launching the crew too early. This constraint, along with the 
planned LEO to HEO duration of nominally 2 days and the 9 
days of checkout at HEO, thus limits the maximum crew 
time in space prior to departure to no more than 51 days. 


Table 2. In-Space Risk Factor Settings 

| Risk Factors | Optimistic | Neutral | Conservative |
|---|---|---|---|
| Ascent LOV-LOM Probability (Cargo Launches) | 4.00E-03 | 1.50E-02 | 3.00E-02 |
| Ascent Abort (Crew Launch) | 4.00E-03 | 1.50E-02 | 3.00E-02 |
| CPS to DSH / REM Automated Rendezvous & Dock Failure | 1.50E-02 | 5.00E-02 | 1.00E-01 |
| MPCV to DSH Rendezvous & Dock Failure (Crew assisted) | 5.00E-03 | 1.00E-02 | 5.00E-02 |
| DSH Daily Loss Probability | 1.00E-05 | 1.00E-04 | 5.00E-04 |
| REM Daily Loss Probability | 1.00E-05 | 1.00E-04 | 5.00E-04 |
| CPS Block 2 Daily Loss Probability | 1.00E-05 | 1.00E-04 | 5.00E-04 |
| MPCV Daily Loss Probability | 1.00E-05 | 1.00E-04 | 5.00E-04 |
| Crew Health LOM (Daily risk per crew member) | 7.19E-05 | 9.72E-05 | 2.05E-04 |
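
The in-space risk factors of Table 2, run as a Monte Carlo with a closed-form cross-check. This is an added example, not the paper's discrete event simulation: it leaves out the manufacturing, ground processing and launch countdown delay models, and the HEO loiter days per element, the crew size and the crew days at risk are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# In-space risk factor settings, copied from Table 2.
SETTINGS = {
    "optimistic": dict(ascent=4.0e-3, ard=1.5e-2, crew_dock=5.0e-3,
                       system_daily=1.0e-5, health_daily=7.19e-5),
    "neutral": dict(ascent=1.5e-2, ard=5.0e-2, crew_dock=1.0e-2,
                    system_daily=1.0e-4, health_daily=9.72e-5),
    "conservative": dict(ascent=3.0e-2, ard=1.0e-1, crew_dock=5.0e-2,
                         system_daily=5.0e-4, health_daily=2.05e-4),
}
DOCK_UNRECOVERED = 0.10  # from the text: 10% of crew-assisted dock failures are LOM

# ASSUMPTIONS (constructed for this example, not taken from the paper):
# HEO loiter days per element before departure readiness, crew size, crew days.
HEO_DAYS = {"DSH": 256, "REM": 256, "CPS": 136, "MPCV": 16}
CREW_SIZE, CREW_DAYS = 4, 16


def days_to_failure(rng, p_daily):
    """Day on which a daily hazard first fires (geometric, inverse transform)."""
    u = 1.0 - rng.random()  # in (0, 1], so log(u) is defined
    return math.floor(math.log(u) / math.log1p(-p_daily)) + 1


def replicate(rng, s):
    """One replication: return the LOM category, or None on success."""
    # Checks run in a fixed order, so the category is the first check to trip.
    for _ in range(3):  # two cargo ascents and the crew ascent
        if rng.random() < s["ascent"]:
            return "ascent"
    if rng.random() < s["ard"]:  # automated CPS docking
        return "rendezvous_dock"
    # Crew-assisted docking: most failures are resolved on a later attempt
    # (a schedule delay only); the remainder end the mission.
    if rng.random() < s["crew_dock"] and rng.random() < DOCK_UNRECOVERED:
        return "rendezvous_dock"
    for days in HEO_DAYS.values():
        if days_to_failure(rng, s["system_daily"]) <= days:
            return "system"
    for _ in range(CREW_SIZE):
        if days_to_failure(rng, s["health_daily"]) <= CREW_DAYS:
            return "crew_health"
    return None


def simulate(setting, n=20000, seed=1):
    """Run n replications; return a Counter of outcomes including 'success'."""
    rng = random.Random(seed)
    s = SETTINGS[setting]
    return Counter(replicate(rng, s) or "success" for _ in range(n))


def analytic_success(setting):
    """Closed-form success probability for the same independent-event model."""
    s = SETTINGS[setting]
    p = (1 - s["ascent"]) ** 3 * (1 - s["ard"])
    p *= 1 - s["crew_dock"] * DOCK_UNRECOVERED
    p *= (1 - s["system_daily"]) ** sum(HEO_DAYS.values())
    p *= (1 - s["health_daily"]) ** (CREW_SIZE * CREW_DAYS)
    return p


if __name__ == "__main__":
    for name in SETTINGS:
        print(name, simulate(name)["success"] / 20000, round(analytic_success(name), 4))
```

Because the launch campaign delay models are absent, the success fractions here bound only the in-space contribution and are not comparable to the dashboard totals.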


6. Results 

The model dashboard for the first scenario is shown in 
Figure 9. The available margin to protect for launch 
sequence delays includes the 30-day departure window 
since the sequence is set up to theoretically achieve the 
opening of the window. Additionally, assessments of the 
processing timeline indicated that a 5x2 workforce provides 
the capability to achieve a 100-day launch-to-launch spacing 
between cargo launches and 112-day spacing between a 
cargo launch and a crewed launch. Consequently, the Gantt 
chart in the model dashboard reflects 20-day buffers 
between the first 2 launches and an 8-day buffer between 
the 2nd and 3rd launch. 

The success probability was quite low at 0.18. The launch 
campaign being late was the primary driver with 814 of the 
replications experiencing a launch campaign failure. There 
was 1 replication that had a crew health failure, 3 that had 
an ascent failure, and 2 that had a rendezvous and dock 
failure. 

Figure 9 - Dashboard for Initial Results 


The next strategy implemented was to insert buffers that 
would help improve the launch sequence performance but 
not change the given launch dates. There were two areas 
where this could be achieved. The first was to have flight 
hardware complete manufacturing early so that offline 
processing could begin early. In this way, the 
manufacturing, transportation, and offline processing risk 
could be mitigated. Most of the risk was mitigated by 
completing manufacturing approximately 4 months early. 
The second area was to insert a large buffer prior to the 
launch of the first mission. A 90-day buffer was inserted 
prior to rollout to the launch pad and a 14-day buffer just 
prior to starting the launch countdown was included. 

The results are shown in Figure 10. The success probability 
improved to 0.65. The launch sequence was still the primary 
driver. Note how the offline processing bars have increased 
in the Gantt chart and the shelf life durations increased. 

Shelf life duration limits are unknown at this time but may 
restrict the ability to mitigate manufacturing and offline 
processing risk depending upon their requirements. 

Figure 10 - Dashboard for Improved Results with Buffers 


Following the first two initial analysis runs, the next step 
was to add in a crew launch buffer and insert buffers within 
and between the launch flows. While this does cause the 
launch dates to be earlier than originally planned, and 
results in both longer shelf life durations and flight hardware 
elements being in space longer than planned, the overall 
success probability was improved. 

The results for estimated maximum probability of success 
for each of the six cases are shown in Figure 11. As 
expected, the probability of success is highest when the risk 
settings are optimistic and lowest when the risk settings are 
conservative. Given the optimistic set of risk factors, the 
success probability is approximately 93% regardless of the 
processing capacity. Thus there is no apparent need at first 
glance to have the larger workforce required to achieve 5x2 
processing. 


Figure 12 shows the simulation dashboard for the optimistic 
case with 5x1 processing corresponding to the 0.927 data 
point in Figure 11. The bottom portion of the dashboard has 
been truncated for spacing. The pie chart in Figure 12 is 
relatively balanced, implying that there is no main culprit to 
blame for the remaining 7% risk of loss of mission leading 
up to the departure burn. 

Of potential concern, however, are the very large values for 
shelf life prior to launch and the time spent in HEO for the 
DSH and CPS Block 2 prior to the departure burn. If these 
durations cannot be supported, then switching to 5x2 
processing might be required in order to reduce the shelf life 
and HEO loiter demands. 

The success probabilities for the neutral risk factor settings 
are approximately 78% with 5x2 processing and 75% with 
5x1 processing. The difference in success probabilities for 
5x2 processing versus 5x1 processing gets even larger when 
the risk factor settings are at the conservative values. With 
those values the success probabilities are 52% versus 42%. 

Figure 13 shows the simulation dashboard for the 
0.523 data point in Figure 11. Note the reduced shelf life 
durations and HEO loiter durations relative to those in 
Figure 12. 

Figure 12 - Contributions to Failure for Optimistic Case with 5x1 Processing 

7. Conclusions and Forward Work 

A capability to perform integrated launch sequence and 
assembly reliability risk analysis has been established. 

Initial findings indicate a significant relationship between 
the risk factor settings and mission success. Consequently, it 
will be important going forward to obtain an accurate 
estimate for the Space Launch System’s ascent reliability, 
the reliability of the mission elements once they have been 
placed in orbit by the SLS, and the crew health risks. 
Understanding the investment required to achieve reliability 
improvements and crew health risk mitigation will also be 
key to making informed trades. 

The influence of the processing capacity upon mission 
success may not be as important as system reliability. 
However, future cost trades may be warranted if system 
reliabilities are less than the optimistic values. Additionally, 
other emerging constraints upon flight hardware pre-launch 
shelf life and in-space design life may necessitate quicker 
launch-to-launch times than provided by a 5x1 work force. 

Forward work includes updates to risk factors and adding 
additional constraints as they emerge from the NASA 
programs designing, building and operating the systems that 
will be required for the Design Reference Missions. The 
models will also be extended to account for risks beyond 
the departure burn readiness point. 